The Sarbanes-Oxley Act of 2002 was passed by Congress to better protect investors. Section 404 of this act (SOX 404) requires companies to review their internal controls over financial reporting (ICFR) and declare whether they are “effective” or “ineffective”. In other words, they must determine if their ICFR are adequate enough to produce financial statements that are accurate and complete. Smaller companies, or non-accelerated filers, are not required to file an auditor attestation; they are only required to file management’s assessment of the company’s ICFR.
Audit Analytics’ annual SOX 404 report takes a closer look at trends in SOX 404 disclosures. SOX 404 Disclosures: A Fourteen Year Review considers both auditor’s attestations and management-only assessments.
The number of adverse auditor attestations (those disclosing ineffective ICFR) has shaped an interesting path over the last fourteen years. As shown in the graph below, there were 176 adverse attestations for fiscal year 2017, a 28% decrease from the 246 attestations in 2016.
Unlike auditor attestations, the number of management-only assessments did not reflect the same increases after 2010. In fact, the totals barely changed from 2011-2013 and have dropped every year since. 2017’s total of 1,191 is the second lowest number of adverse management-only assessments over the eleven year span.
The percentage of auditor attestations disclosing ineffective ICFR increased after the low in 2010 and reached a local maximum of 6.7% in 2016, dropping to 4.9% in 2017, a figure similar to those from 2009-2013.
However, a different trend is revealed when looking at the percentage of adverse management- only assessments. In 2007 (the first year non-accelerated filers were required to make assessments), 30% of small companies disclosed ineffective ICFR. The percentages increased for the following seven consecutive years to reach a high of 40.8% in 2014. Although this number has dropped in 2015, 2016, and 2017, it is worth noting that at least one-third of non-accelerated filers disclosed ineffective ICFR every year since (and including) 2009.
So which internal controls- related issues are leading auditors to the conclusion that a company’s ICFR were not effective? According to the report, of the 176 auditor attestations disclosing ineffective ICFRs in 2017, 115 (or 65%) concluded an inadequacy due to issues requiring year-end adjustments. The second most common reason expressed by auditors were issues regarding accounting personnel resources, competency, and training. Other top reasons included inadequate disclosure controls, segregations of duties/ design of controls information technology, and software, security & access issues.
The top IC-related issue leading management to the conclusion that the company’s ICFR were not effective was due, in part, to insufficient accounting personnel resources, competency and training. Likewise, the second and third reasons also concerned staffing issues. Other issues topping the list included inadequate disclosure controls and material and/or numerous auditor or year-end adjustments.
To learn more about SOX 404 disclosures or to request a copy of the full report, e-mail info@auditanalytics.com or call 508-476-7007.